Hexr’s runtime is organized into five layers, each delivering a distinct set of capabilities to your agents. Understanding these layers helps you know where your protections come from, what you interact with as a developer, and what happens automatically behind the scenes — without any extra configuration on your part.

The five layers at a glance

Layer 1 — Identity foundation

What you get: Every agent process automatically receives a cryptographic SPIFFE identity (X.509 + JWT). This is the trust root that makes everything else possible — no secrets, no API keys, just certificates.

Layer 2 — Observability

What you get: Full OpenTelemetry instrumentation for every agent operation — distributed traces, LLM token counts, tool call latency, and 42 pre-built Grafana dashboard panels — all with zero configuration.

Layer 3 — Platform services

What you get: Authenticated cloud access, agent-to-agent communication, secret storage, LLM prompt scanning, and sandboxed code execution — all available through the SDK, transparently secured by the identity layer.

Layer 4 — Developer experience

What you get: The Python SDK, CLI, and agent decorators you interact with daily. @hexr_agent, hexr build, hexr push, and hexr deploy are your entry points to the whole platform.

Layer 5 — Management

What you get: A web dashboard and REST API for monitoring agents, visualizing identity relationships, managing policies, and tracking compliance — for operators and administrators.

Each layer is independently scalable. Your agent code runs in isolated tenant-{name} namespaces, while platform services run in the shared hexr-system namespace — your workloads never share infrastructure with other tenants.

Layer 1: Identity foundation

Every protection in Hexr flows from this layer. It establishes cryptographic identity for every process, making impersonation and unauthorized access impossible without a valid certificate.

What your agents get

  • A unique SPIFFE ID per agent process (not just per pod)
  • Short-lived X.509 certificates that rotate automatically every hour
  • JWT tokens your agents use to exchange for cloud credentials — without any pre-shared secrets

SPIFFE ID format

# Every agent process gets an ID following this pattern:
spiffe://hexr.cloud/agent/{tenant}/{agent-name}/{process-role}

# Examples:
spiffe://hexr.cloud/agent/acme-corp/research-analyst/main
spiffe://hexr.cloud/agent/acme-corp/content-crew/researcher
spiffe://hexr.cloud/agent/acme-corp/content-crew/writer

Automatic registration

Any pod you deploy with hexr deploy is detected by the Auto-Registrar, which watches for pods with hexr.io/* labels and creates SPIRE entries automatically:

# Labels that trigger automatic identity registration
metadata:
  labels:
    hexr.io/managed: "true"
    hexr.io/tenant: "acme-corp"
    hexr.io/agent-name: "research-analyst"
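To make the SPIFFE ID pattern and the label-to-identity mapping above concrete, here is an added example (not Hexr's own SDK or registrar code) that strictly parses IDs in the spiffe://hexr.cloud/agent/{tenant}/{agent-name}/{process-role} form, derives the ID a pod's hexr.io/* labels would produce, and applies a tenant-isolation check to a peer's ID. The page shows no label for the process role, so the example takes it as an explicit parameter (default "main", matching the first example ID).

```python
# Added example, not Hexr's own SDK code: parse and validate SPIFFE IDs in the
# spiffe://hexr.cloud/agent/{tenant}/{agent-name}/{process-role} pattern and
# derive the ID the Auto-Registrar would create from a pod's hexr.io/* labels.
# Assumption: the process role is not carried by a label on the page, so it is
# passed in explicitly (default "main", as in the page's first example).
import re
from dataclasses import dataclass

TRUST_DOMAIN = "hexr.cloud"
# One path segment: lowercase alphanumerics and hyphens, no leading/trailing hyphen
_SEGMENT = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_AGENT_ID = re.compile(
    rf"spiffe://{re.escape(TRUST_DOMAIN)}/agent/(?P<tenant>{_SEGMENT})"
    rf"/(?P<agent>{_SEGMENT})/(?P<role>{_SEGMENT})"
)

@dataclass(frozen=True)
class AgentIdentity:
    tenant: str
    agent: str
    role: str

def parse_agent_id(spiffe_id: str) -> AgentIdentity:
    """Strict parse: wrong trust domain, extra or missing segments all fail."""
    m = _AGENT_ID.fullmatch(spiffe_id)
    if m is None:
        raise ValueError(f"not a hexr agent SPIFFE ID: {spiffe_id!r}")
    return AgentIdentity(m["tenant"], m["agent"], m["role"])

def expected_id_from_labels(labels: dict[str, str], role: str = "main") -> str:
    """ID the registrar would register for a pod carrying the labels shown above."""
    if labels.get("hexr.io/managed") != "true":
        raise ValueError("pod is not hexr-managed")
    try:
        tenant, agent = labels["hexr.io/tenant"], labels["hexr.io/agent-name"]
    except KeyError as exc:
        raise ValueError(f"missing label {exc.args[0]}") from None
    spiffe_id = f"spiffe://{TRUST_DOMAIN}/agent/{tenant}/{agent}/{role}"
    parse_agent_id(spiffe_id)  # reject label values that would not form a valid ID
    return spiffe_id

def same_tenant(caller_id: str, tenant: str) -> bool:
    """Tenant-isolation check a service can apply to a peer's certificate SPIFFE ID."""
    try:
        return parse_agent_id(caller_id).tenant == tenant
    except ValueError:
        return False
```

A peer presenting an ID from another trust domain or another tenant fails the check rather than being partially matched on the agent name.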

OIDC discovery

Hexr publishes a JWKS endpoint that AWS, GCP, and Azure trust natively. This is how your agents get real cloud credentials from JWT tokens — no long-lived keys stored anywhere.

Layer 2: Observability

Every operation your agent performs emits OpenTelemetry data automatically. You don’t write any instrumentation code — the SDK handles it at decoration time.

Telemetry sources

| Source | What it emits |
|---|---|
| Python SDK (@hexr_agent, hexr_tool, hexr_llm) | Agent invocations, tool calls, LLM spans with token counts |
| Envoy proxies | mTLS connection metrics, TLS handshake latency |
| A2A sidecars | Task lifecycle events, message throughput |

What gets instrumented

| Decorator / call | Span name | Key attributes |
|---|---|---|
| @hexr_agent | hexr.agent.invoke | duration, status, framework |
| hexr_tool() | hexr.tool.invoke | service, region, cache tier hit |
| hexr_llm() | hexr.llm.chat | model, tokens in/out, latency, cost |
| Credential cache | hexr.cache.lookup | L1/L2/L3 hit rates, latency |
| A2AClient | hexr.a2a.send | target agent, task state, duration |

Traces flow to Jaeger and metrics to Prometheus, where Grafana dashboards with 42 panels surface everything in real time.

Layer 3: Platform services

These are the runtime services your agents call through the SDK. Envoy mTLS proxies protect all communication — there are no API keys between services.

Service mesh

All traffic between your agent and platform services uses mutual TLS, authenticated by the SPIFFE certificates from Layer 1:

| Your agent calls | Reaches |
|---|---|
| hexr_tool("aws_s3") | Credential Injector — verifies identity, checks policy, calls AWS STS |
| hexr.vault.get("my-secret") | Hexr Vault — AES-256-GCM encrypted, SPIFFE-scoped |
| hexr.gateway.call("tool-name") | Hexr Gateway — MCP tool discovery and invocation |
| hexr.sandbox.exec(code) | Sandbox — Firecracker microVM, hardware-level isolation |

SDK modules

| Module | Import | What it gives you |
|---|---|---|
| Core | from hexr import hexr_agent, hexr_tool, hexr_llm | Decorator, cloud tools, LLM proxy |
| Vault | import hexr.vault | SPIFFE-native secrets — no env vars |
| Gateway | import hexr.gateway | MCP tool discovery and invocation |
| Sandbox | import hexr.sandbox | Firecracker code execution |
| Browser | import hexr.browser | Headless Chromium in a microVM |
| Guard | import hexr.guard | LLM prompt and output scanning |
| A2A | from hexr.a2a import A2AClient | Agent-to-agent communication |

Layer 4: Developer experience

This is the layer you interact with. Three commands take your Python function from source to a fully secured, observable Kubernetes deployment:

# 1. Analyze your code and generate Kubernetes manifests + SPIFFE contexts
hexr build my_agent.py --tenant acme-corp

# 2. Build the container image, scan for vulnerabilities, and push to the registry
hexr push

# 3. Apply the manifests — your pod starts with all 4 containers + identity
hexr deploy

hexr build performs AST analysis on your Python source to discover all agent roles before any code runs. This is how Hexr knows which SPIFFE IDs to register — and why you don’t configure any of this manually.
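The following is an added example (not Hexr's own build code) of the static-discovery technique just described: it walks the AST of an agent module and lists the roles decorated with @hexr_agent without importing or executing the file, so import-time side effects in the source never run at build time. The decorator name and the optional name="..." keyword are assumptions about what hexr build looks for; the page only states that it uses AST analysis.

```python
# Added example, not Hexr's own build code: discover agent roles statically
# with the ast module, so nothing in the source is executed at build time.
# Assumptions: the decorator is named hexr_agent, and an optional name="..."
# keyword overrides the function name as the role; the page does not state
# either detail, only that hexr build uses AST analysis.
from __future__ import annotations
import ast

DECORATOR = "hexr_agent"

def _decorator_name(node: ast.expr) -> str | None:
    """Bare name for @hexr_agent, @hexr_agent(...) or @hexr.hexr_agent."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None

def _role_from_call(node: ast.expr, default: str) -> str:
    """Use a literal name="..." keyword when present, else the function name."""
    if isinstance(node, ast.Call):
        for kw in node.keywords:
            if kw.arg == "name" and isinstance(kw.value, ast.Constant):
                if isinstance(kw.value.value, str):
                    return kw.value.value
    return default

def discover_agent_roles(source: str) -> list[str]:
    """Return roles in definition order; raises SyntaxError on unparsable input."""
    roles: list[str] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:
                if _decorator_name(dec) == DECORATOR:
                    roles.append(_role_from_call(dec, node.name))
    return roles

# Constructed sample: the module-level raise would fire on import, but is never run.
SAMPLE = '''from hexr import hexr_agent
raise RuntimeError("import-time side effect")
@hexr_agent
def researcher(task): ...
@hexr_agent(name="writer")
async def draft(task): ...
def helper(task): ...
'''
```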

Layer 5: Management

The dashboard and REST API for operators and administrators.

Dashboard pages

| Page | What you can do |
|---|---|
| Agents | View all deployed agents with live status, container health, and metrics |
| Identity graph | Explore all SPIFFE IDs and their trust relationships in a WebGL visualization |
| Traces | Browse distributed traces with full agent identity attribution |
| Policies | Create and update OPA authorization policies with progressive enforcement |
| Compliance | Track framework status — SOC 2, NIST, ISO, PCI, EU AI Act |
| Settings | Manage tenant configuration, API keys, and compute credits |

Cloud API

The REST API exposes tenant management, compute metering, and programmatic access to all dashboard features. The CLI and dashboard both use it, and you can call it directly for automation.